[jboss-user] [Security & JAAS/JBoss] - Re: Script to create wildcard certificate chain in keystore

mozkill do-not-reply at jboss.com
Thu Dec 11 12:45:12 EST 2008

Here is the raw code for the DOS batch file if you don't want to visit the blog.

@echo off
setlocal
@rem ------------------------------------------------------------------
@rem  This script generates a server certificate suitable to be signed
@rem    by an authorized CA.  If OpenSSL is installed, it can make a
@rem    signing CA for you.
@rem
@rem  This script requires: OpenSSL, JDK
@rem ------------------------------------------------------------------
@rem set JBOSSHOME="C:\Justice\jboss"
::Get the home directory of the most recent JDK.  regedit exports the whole
::key; the last JavaHome line in the export wins in the loop below.
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit"
type reg1.txt | find "JavaHome" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set JavaTemp=%%~x
@rem "for" does not set errorlevel, so test the variable instead.
if "%JavaTemp%" == "" goto ERROR
@rem .reg exports escape backslashes as \\; collapse them back to single ones.
set JavaTemp=%JavaTemp:\\=\%
echo Java home path (per registry) = %JavaTemp%
set JAVAHOME=%JavaTemp%
set PATH=%PATH%;%JAVAHOME%\bin
del reg1.txt reg2.txt
echo Detected JDK and added it to PATH.
::Get the home directory of OpenSSL (the bin directory holding openssl.exe and openssl.cfg)
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager"
type reg1.txt | find "OPENSSL_PATH" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set SSLPath=%%~x
if "%SSLPath%" == "" goto ERROR
set SSLPath=%SSLPath:\\=\%
echo OpenSSL home path (per registry) = %SSLPath%
set OPENSSL_HOME=%SSLPath%
set PATH=%PATH%;%OPENSSL_HOME%
del reg1.txt reg2.txt
echo Detected OpenSSL and added it to PATH.
echo %PATH%
@rem Create storage directories (paths are quoted in case they contain spaces)
echo Creating work directories if they do not already exist.
mkdir "%OPENSSL_HOME%\..\myCerts" 2>nul
cd "%OPENSSL_HOME%\..\myCerts"
mkdir private 2>nul
mkdir "%OPENSSL_HOME%\..\demoCA" 2>nul
cd "%OPENSSL_HOME%\..\demoCA"
mkdir private 2>nul
mkdir newcerts 2>nul
cd "%OPENSSL_HOME%\.."
echo Done.
@rem  Ask to create certificate authority
@rem  -days 1096 is about 3 years; use -days 3653 for a 10 year CA.
set /P GENERATECA=Do you want to generate your own Certificate Authority (valid 1096 days)? [y]: 
if "%GENERATECA%" == "" (set GENERATECA=y)
@echo.
if "%GENERATECA%" == "y" (
  openssl req -config "%OPENSSL_HOME%\openssl.cfg" -new -x509 -extensions v3_ca -keyout "%OPENSSL_HOME%\..\demoCA\private\cakey.pem" -out "%OPENSSL_HOME%\..\demoCA\cacert.pem" -days 1096
  @ECHO Finished generating a certificate authority.  Your site certificate will be signed with this authority.
)
@echo.
@rem  Ask to create site certificate chain
set /P GENCERT=Do you want to generate a site certificate signed by your Certificate Authority? [n]: 
if "%GENCERT%" == "" (set GENCERT=n)
@echo.
if "%GENCERT%" == "n" GOTO ERROR
@ECHO Generating your server certificate inside a new keystore.
@ECHO Enter *.your.domain as the "first and last name" (the CN) if you wish to generate a wildcard certificate.
keytool -genkey -alias tomcat -keyalg RSA -keystore "%OPENSSL_HOME%\..\myCerts\keystore.kdb"
@ECHO Generating a certificate request that will be used by your certificate authority to sign your cert.
keytool -certreq -alias tomcat -keystore "%OPENSSL_HOME%\..\myCerts\keystore.kdb" -file "%OPENSSL_HOME%\..\myCerts\tomcat.csr"
@ECHO Ready to import the cacert.pem public cert from your self-created CA in directory .\demoCA .
keytool -import -alias root -keystore "%OPENSSL_HOME%\..\myCerts\keystore.kdb" -trustcacerts -file "%OPENSSL_HOME%\..\demoCA\cacert.pem"
if exist "%OPENSSL_HOME%\..\demoCA\private\cakey.pem" (
  @rem  If you have used this script to create a CA with openssl then this segment will sign the CSR with
  @rem  your certificate authority key .\demoCA\private\cakey.pem, save it as .\myCerts\tomcat.crt and convert it to DER format.
  echo Signing CSR and saving tomcat.crt
  copy /Y "%OPENSSL_HOME%\PEM\demoCA\index.txt" "%OPENSSL_HOME%\..\demoCA"
  copy /Y "%OPENSSL_HOME%\PEM\demoCA\serial" "%OPENSSL_HOME%\..\demoCA"
  openssl ca -config "%OPENSSL_HOME%\openssl.cfg" -policy policy_anything -out "%OPENSSL_HOME%\..\myCerts\tomcat.crt" -infiles "%OPENSSL_HOME%\..\myCerts\tomcat.csr"
  openssl x509 -in "%OPENSSL_HOME%\..\myCerts\tomcat.crt" -inform PEM -out "%OPENSSL_HOME%\..\myCerts\tomcat.der" -outform DER
)
@ECHO Ready to import the CA-signed CSR response into your keystore's certificate entry.
keytool -import -alias tomcat -keystore "%OPENSSL_HOME%\..\myCerts\keystore.kdb" -trustcacerts -file "%OPENSSL_HOME%\..\myCerts\tomcat.der"
@ECHO List the contents.
keytool -keystore "%OPENSSL_HOME%\..\myCerts\keystore.kdb" -list -v
@rem  Finally, copy the keystore to JBoss.
@rem copy keystore.kdb "%JBOSSHOME%\bin" /y
:ERROR
echo Ending script.
pause

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4196016#4196016

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4196016
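
The same CA, wildcard certificate and keystore chain as the batch file above, rebuilt as a POSIX shell example added here (it is not part of the original post or of JBoss): it uses openssl alone, puts the wildcard into a subjectAltName because modern clients ignore the CN, produces a PKCS#12 keystore that JBoss/Tomcat can load with keystoreType="PKCS12", and finishes with the chain and hostname checks the batch file omits. It assumes openssl 1.1.1 or later on PATH; example.test and the password changeit are constructed sample values.

```shell
#!/bin/sh
# Rebuilds the batch file's CA -> wildcard cert -> keystore chain with openssl
# only. Assumes openssl >= 1.1.1; example.test and changeit are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=example.test
PASS=changeit

make_chain() {
  # Minimal req config so the CA verifies even without a system openssl.cnf
  # (the batch file relies on the v3_ca section of the installer's openssl.cfg).
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n' > "$WORK/ca.cnf"
  printf '[dn]\nCN = Demo Root CA\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\n' >> "$WORK/ca.cnf"
  printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> "$WORK/ca.cnf"
  # Self-signed CA, 1096 days as in the batch file.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1096 -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  # Server key and CSR; -subj overrides the CN from ca.cnf.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=*.$DOMAIN" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Sign with the CA; modern clients ignore the CN, so the wildcard goes in a SAN.
  printf 'subjectAltName = DNS:*.%s,DNS:%s\nextendedKeyUsage = serverAuth\n' \
    "$DOMAIN" "$DOMAIN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -days 365 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Key, server cert and CA cert as a PKCS#12 keystore under the alias "tomcat";
# JBoss/Tomcat loads it with keystoreType="PKCS12".
make_keystore() {
  openssl pkcs12 -export -name tomcat -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/cacert.pem" \
    -passout "pass:$PASS" -out "$WORK/keystore.p12" 2>/dev/null
}

# Returns 0 when server.crt chains to the CA and is valid for host name $1.
verify_host() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 when the keystore opens with PASS and holds an entry named $1.
keystore_has_alias() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys \
    -info 2>&1 | grep -q "friendlyName: $1"
}
```

Note that the wildcard covers exactly one label: www.example.test matches, deep.sub.example.test does not, which is why verify_host is worth running before the keystore goes anywhere near JBoss.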
